How do I configure Okteto with cert-manager and AWS Route53?

How do I configure the Okteto wildcard certificate with cert-manager and Route53?

The recommended solution is to use IAM Roles for Service Accounts (IRSA).

To do that, create an IAM policy with the following permissions (its ARN is the $POLICY_ARN used below):

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "route53:GetChange",
            "Resource": "arn:aws:route53:::change/*"
        },
        {
            "Effect": "Allow",
            "Action": "route53:ChangeResourceRecordSets",
            "Resource": "arn:aws:route53:::hostedzone/*"
        }
    ]
}
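The policy above lets the DNS-01 solver write records in every hosted zone of the account; before attaching it, it is worth checking it grants only the two actions listed and narrowing ChangeResourceRecordSets to the single zone that serves your Okteto subdomain. The Python script below is an added example, not part of the original article or of Okteto or cert-manager: it parses the article's policy, reports any action or wildcard resource outside that minimum, and produces a copy scoped to a hosted zone ID (the ID used here is a constructed placeholder).

```python
import json
from copy import deepcopy

# The policy from the article (constructed copy), embedded so this runs offline.
POLICY_JSON = """
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": "route53:GetChange",
     "Resource": "arn:aws:route53:::change/*"},
    {"Effect": "Allow", "Action": "route53:ChangeResourceRecordSets",
     "Resource": "arn:aws:route53:::hostedzone/*"}
  ]
}
"""

# The only actions the article's policy grants; anything else is reported.
ALLOWED_ACTIONS = {"route53:GetChange", "route53:ChangeResourceRecordSets"}


def load_article_policy():
    """Parse the embedded policy document into a dict."""
    return json.loads(POLICY_JSON)


def _as_list(value):
    """IAM allows Action/Resource to be a string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def find_policy_issues(policy):
    """Return findings for Allow statements that exceed the minimum grant."""
    issues = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action", [])):
            if action not in ALLOWED_ACTIONS:
                issues.append(f"statement {i}: unexpected action {action}")
        for resource in _as_list(stmt.get("Resource", [])):
            if resource == "*" or resource.endswith("hostedzone/*"):
                issues.append(f"statement {i}: resource {resource} is not scoped to one hosted zone")
    return issues


def scope_to_hosted_zone(policy, hosted_zone_id):
    """Return a copy of the policy with hostedzone/* narrowed to one zone ID."""
    scoped = deepcopy(policy)
    for stmt in scoped.get("Statement", []):
        resources = [r.replace("hostedzone/*", f"hostedzone/{hosted_zone_id}")
                     for r in _as_list(stmt.get("Resource", []))]
        # Keep the original shape: a single string stays a string.
        stmt["Resource"] = resources[0] if isinstance(stmt.get("Resource"), str) else resources
    return scoped


if __name__ == "__main__":
    policy = load_article_policy()
    for issue in find_policy_issues(policy):
        print("finding:", issue)
    # Constructed placeholder zone ID; substitute the ID of your own hosted zone.
    print(json.dumps(scope_to_hosted_zone(policy, "Z0123456789EXAMPLE"), indent=2))
```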

Create an AWS IAM Role for the cert-manager service account. Replace the variables below with your own information.

eksctl create iamserviceaccount \
  --cluster $CLUSTER_NAME \
  --region $REGION \
  --name cert-manager \
  --namespace $RELEASE_NAMESPACE \
  --attach-policy-arn $POLICY_ARN \
  --role-name ${YOUR_ROLE_NAME} \
  --role-only \
  --approve

and add these options to your cert-manager Helm configuration file:

extraArgs: ["--issuer-ambient-credentials=true"]
serviceAccount:
  annotations:
    eks.amazonaws.com/role-arn: 'arn:aws:iam::<<aws-account-id>>:role/<<your-role-name>>'

Once your cert-manager is configured this way, create the following Issuer in the okteto namespace:

apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: okteto-letsencrypt
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email:  "<<your-email>>"
    privateKeySecretRef:
      name: okteto-letsencrypt
    solvers:
    - http01:
        ingress:
          serviceType: ClusterIP
          class: nginx
    - dns01:
        route53:
          region: "<<your-cluster-region>>"

and the following Certificate:

apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: okteto-letsencrypt
spec:
  secretName: okteto-letsencrypt
  duration: 8760h0m0s
  renewBefore: 600h0m0s # 25d
  issuerRef:
    name: okteto-letsencrypt
    kind: Issuer
  dnsNames:
    - "*.<<your-okteto-subdomain>>"

Now, add the following to your Okteto Helm configuration file to tell Okteto and NGINX to use your certificate:

wildcardCertificate:
  create: false
  name: okteto-letsencrypt

ingress-nginx:
  controller:
    extraArgs:
      default-ssl-certificate: $(POD_NAMESPACE)/okteto-letsencrypt

Finally, upgrade your Okteto installation for the new configuration to be applied.